In order to set up VPNaaS, a user needs to know their router's external IP (to configure it as the endpoint).
PROBLEM: When a user is not admin, the external IP of a router is not visible:
source openrc demo demo
neutron router-list
+--------------------------------------+---------+-----------------------------------------------------------------------------+
| id                                   | name    | external_gateway_info                                                       |
+--------------------------------------+---------+-----------------------------------------------------------------------------+
| 2bd1f015-6c98-4861-a078-5a69256ca7b0 | router1 | {"network_id": "8ae6890d-5bb5-4f07-9059-77499628048c", "enable_snat": true} |
+--------------------------------------+---------+-----------------------------------------------------------------------------+
neutron router-port-list 2bd1f015-6c98-4861-a078-5a69256ca7b0
+--------------------------------------+------+-------------------+-----------------------------------------------------------------------------------+
| id                                   | name | mac_address       | fixed_ips                                                                         |
+--------------------------------------+------+-------------------+-----------------------------------------------------------------------------------+
| 8ae7206d-19af-4a2a-a15b-0f8cdb98861e |      | fa:16:3e:0a:ee:14 | {"subnet_id": "c69b14f9-c2e4-4877-8516-57ff2bdeaa9e", "ip_address": "172.17.0.1"} |
+--------------------------------------+------+-------------------+-----------------------------------------------------------------------------------+
It's visible only as admin:
source openrc admin demo
neutron router-port-list 2bd1f015-6c98-4861-a078-5a69256ca7b0
+--------------------------------------+------+-------------------+---------------------------------------------------------------------------------------+
| id                                   | name | mac_address       | fixed_ips                                                                             |
+--------------------------------------+------+-------------------+---------------------------------------------------------------------------------------+
| 8ae7206d-19af-4a2a-a15b-0f8cdb98861e |      | fa:16:3e:0a:ee:14 | {"subnet_id": "c69b14f9-c2e4-4877-8516-57ff2bdeaa9e", "ip_address": "172.17.0.1"}     |
| fd56a686-480d-4ede-b021-010253c3de42 |      | fa:16:3e:a5:d2:92 | {"subnet_id": "29f5737c-417f-4aa9-a95e-2bef3a04729e", "ip_address": "192.168.57.226"} |
+--------------------------------------+------+-------------------+---------------------------------------------------------------------------------------+
Since users need to know the external IP of their router in order to set up VPNaaS, this is quite blocking because it requires users to be admin in order to use this feature. It's not an issue for a private cloud, but a big issue for public clouds.
This affects the workflow used by the L3 extension to create a router's gw port and/or neutron's policy engine.